09.3: Homework

Within your course repository, create a directory for the homework, then commit and push to your remote repository.

cd <path_to_repo>
mkdir hw9
touch hw9/app.py
touch hw9/screencast_url.txt
git add hw9
git commit -m "initial commit"
git push

In this homework, based on the lab exercises, you will construct or deploy MCP servers that agents can leverage to identify and exploit vulnerable services. Example target applications include:

CTF exercises (Github Secure Code Game, Overthewire CTFs, picoCTF, cs205 CTF, cs492 CTF, angr CTF)
Portswigger Web Security Academy levels (SSRF, Command injection, File-path traversal, Information disclosure, Deserialization, Insecure File upload, XXE)
Publicly available vulnerable servers (Vulnhub, awesome-vulnerable-apps, Metasploitable, Web for Pentester VMs)

You may perform the exploitation by utilizing:

Your own agent and MCP server that extends what has been given in lab exercises
State-of-the-art agentic frameworks such as Strix, Kali-MCP, or Blacksmith to perform a comprehensive vulnerability analysis of the set of virtual machines utilized in the week's lab.
State-of-the-art frameworks such as PromptFoo to perform a comprehensive vulnerability analysis of the set of LLM applications utilized in the course.

Note that when testing these tools on Google Cloud resources, take care to point them only to the internal IP addresses of servers you deploy on your Google Cloud Project (e.g. 10.x.y.z). If utilizing your own agent, ensure your development should be organized and incremental, with frequent commits into your git repository. Code should also be properly documented via Python docstrings. In addition, you must also ensure API keys do not show up in your source files, but rather are passed in via environment variables. Ensure your application code is pushed to your repository before class.

Screencast

Upon completing your application, via a narrated screencast of no longer than 5 minutes, you will perform a demonstration and walk-through of the successful exploitation of a vulnerable service. Ensure that the video camera is turned on initially in your screencast. The screencast should follow the order given below:

Check out the application source code from your course repository or demonstrate the setup of tools you will be using
Demonstrate the application successfully exploiting the vulnerable service.
For custom agents, perform a source code walk-through via the git commits on Gitlab to explain how the application has been incrementally implemented.

Upload your completed screencast on MediaSpace. Ensure that it is published as "Unlisted". Then, update the file screencast_url.txt in the homework's directory to contain the URL that your unlisted screencast on MediaSpace is located. Push the changes that include the updated URL to your repository before class.

Rubric

We will be using your screencast and git repository to evaluate your homework.

Code checkout and tool setup shown

Demonstration of exploitation on vulnerable service

Walkthrough of source code via git commits shown on Gitlab.

Instructions followed properly including code submission in the specified repository files, sequencing and length of screencast.